June 27, 2006

microsoft security manager calls users stupid

A couple of months ago, Mike Danseglio, the Program Manager for the Security Solutions group at Microsoft, blamed users for the Windows security nightmare, saying "there really is no patch for human stupidity."

Nice one, Mike.

Actually, Mike, there really is no patch for that kind of blame shifting. We make software and it's our job to make it work. Designing and building software is an extremely complex process but it is not magic and it is not only possible to make it safe, it's a requirement.

The makers of internet connected software, primarily browsers and email programs, have created sophisticated platforms for web developers and for those who would do the user harm. Microsoft, with its dominance in the browser and email markets, walked away from improving that platform in 2001 and gave the bad guys half a decade -- and remember, this is "Internet time" -- to build ever more sophisticated attacks against users.

This is not some mystery. Microsoft and Netscape built some very powerful technology. In just a few short years they brought hundreds of millions of people online. The security nightmare, though, didn't begin until the leading browser makers left those users to fend for themselves. While Netscape isn't completely free from blame (see Netscape 7 sans pop-up blocker), it is Microsoft that left the majority of users out in the cold for five years while the bad guys developed ever more sophisticated attacks using the tools Microsoft provided.

Here are a couple of examples from the last five or six years:

When it became obvious that pop-ups were not just a nuisance, but a major vector for spyware and adware, we added a pop-up blocker to Mozilla (back at the beginning of 2001). It took IE almost 4 more years to offer the feature -- and then only to XP SP2 users, which left hundreds of millions of other Windows users at the mercy of one of the major vectors for malware.

For years, Mozilla struggled with website compatibility issues because it did not support Microsoft's ActiveX technology, another major vector for security attacks on users. Not only would it have been a lot of work to reverse engineer and build Mozilla support for ActiveX, it would have opened Mozilla up to some of the worst threats on the Web. It would have been a bad idea. With the upcoming IE 7 (promised almost a year and a half ago) Microsoft says that "allowing ActiveX controls to run in IE should be the exception". Good idea. And only about 5 years late.

Like I said above, it's really pretty simple. Software makers can choose to side with the user and safety, or not. At Mozilla, we put the user first. Always. We spend our days working to improve the Web for users and to protect them from the bad guys. At Microsoft, at least some have decided it's better to spend their time calling users stupid and blaming them for the problem.

You have a choice when it comes to the Internet software you use. But even more important, you have a choice in the companies and organizations that build that software.

Posted by asa at 6:58 AM